felixalb/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: felixalb:main
Branches Tags
felixalb:main felixalb:nixos-25.11
..
compare: felixalb:1ade601ce95f5621b4e6c7e31228dd05263b3c68
Branches Tags
felixalb:main felixalb:nixos-25.11

1 Commits
main ... 1ade601ce9

Author SHA1 Message Date
Felix Albrigtsen
1ade601ce9 all/voyager: update to nixos 24.05 2024-05-31 22:19:23 +02:00
146 changed files with 8800 additions and 6076 deletions
Expand all files Collapse all files

43
.sops.yaml
View File

@@ -1,50 +1,27 @@
keys: keys:
- &bw_recovery age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
- &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
- &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773 - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
- &host_morn age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
- &user_felixalb_sisko age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
- &user_felixalb_worf age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
creation_rules: creation_rules:
# Global secrets # Global secrets
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bw_recovery - *user_felixalb_old
- *user_felixalb_sisko - *user_felixalb
- *user_felixalb_worf
# Host specific secrets # Host specific secrets
- path_regex: secrets/burnham/[^/]+\.yaml$ - path_regex: secrets/voyager/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_burnham - *host_voyager
- *bw_recovery - *user_felixalb_old
- *user_felixalb_sisko - *user_felixalb
- *user_felixalb_worf
- path_regex: secrets/challenger/[^/]+\.yaml$
key_groups:
- age:
- *host_challenger
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/defiant/[^/]+\.yaml$ - path_regex: secrets/defiant/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_defiant - *host_defiant
- *bw_recovery - *user_felixalb
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/morn/[^/]+\.yaml$
key_groups:
- age:
- *host_morn
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf

11
README.md
View File

@@ -1,7 +1,5 @@
## Felixalbs nixos config ## Felixalbs nixos config
![](https://github.com/NixOS/nixos-artwork/blob/master/releases/24.05-uakari/uakari.png?raw=true)
Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host. Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host.
Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix). Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
@@ -26,20 +24,19 @@ Other installed packages and tools are described in the config files (like ./hos
## Public / important services ## Public / important services
- Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no - Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no
- [Nextcloud](https://cloud.feal.no) ([source](./hosts/challenger/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail - [Nextcloud](https://cloud.feal.no) ([source](./hosts/voyager/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail
- [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server - [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server
- [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor - [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor
- HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller - HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller
- [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend - [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend
- [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML - [Kanidm](https://auth.feal.no) ([source](./hosts/voyager/services/kanidm.nix)) - Authentication provider with support for OAuth2/OIDC, LDAPS, SSH, etc.
- [Jellyfin](https://jf.feal.no) ([source](./hosts/challenger/services/jellyfin.nix)) - Local media streaming - [Jellyfin](https://jf.feal.no) ([source](./hosts/voyager/services/jellyfin.nix)) - Local media streaming
## Networking ## Networking
- I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)). - I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
- A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix). - I recently switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix) and [here](./hosts/burnham/services/wireguard.nix).
- PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking. - PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
## Monitoring ## Monitoring

32
base.nix
View File

@@ -5,8 +5,8 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking = { networking = {
domain = lib.mkDefault "home.feal.no"; domain = "home.feal.no";
nameservers = lib.mkDefault [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ]; nameservers = [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ];
useDHCP = lib.mkDefault false; useDHCP = lib.mkDefault false;
}; };
@@ -29,20 +29,27 @@
trusted-users = [ "felixalb" ]; trusted-users = [ "felixalb" ];
builders-use-substitutes = true; builders-use-substitutes = true;
}; };
registry= {
nixpkgs.flake = inputs.nixpkgs;
};
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
bat
bottom bottom
duf
eza eza
file file
git git
gnugrep gnugrep
gnutar gnutar
htop htop
iotop neofetch
lm_sensors
nix-output-monitor nix-output-monitor
p7zip p7zip
python3 python3
@@ -50,19 +57,12 @@
rsync rsync
screen screen
unzip unzip
usbutils
vim
wget wget
zip zip
] ++ lib.optionals (pkgs.stdenv.isLinux) [
dmidecode
lm_sensors
pciutils
]; ];
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = lib.mkDefault true;
settings = { settings = {
PermitRootLogin = "no"; PermitRootLogin = "no";
PasswordAuthentication = false; PasswordAuthentication = false;
@@ -76,7 +76,7 @@
''; '';
}; };
programs.mosh.enable = true; networking.firewall.allowedTCPPorts = [ 22 ];
users.users.felixalb = { users.users.felixalb = {
isNormalUser = true; isNormalUser = true;
@@ -84,12 +84,12 @@
"wheel" "wheel"
"docker" "docker"
]; ];
uid = lib.mkDefault 1000; uid = 1000;
openssh.authorizedKeys.keys = lib.mkDefault [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiPHhj0YbklJnJNcxD0IlzPxLTGfv095H5zyS/1Wb64 felixalb@edison.home.feal.no"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJky33ynjqyWP+hh24gFCMFIEqe3CjIIowGM9jiPbT79 felixalb@sisko.home.feal.no"
]; ];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };

15
common/auto-upgrade.nix
View File

@@ -1,15 +0,0 @@
{ config, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.feal.no/felixalb/nixos-config.git";
flags = [
# Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
"--refresh"
"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
"--no-write-lock-file"
];
};
}

45
common/domeneshop-dyndns.nix
View File

@@ -1,45 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.domeneshop-dyndns;
in {
options.services.domeneshop-dyndns = {
enable = lib.mkEnableOption "Domeneshop DynDNS";
domain = lib.mkOption {
type = lib.types.str;
description = "Domain name to configure";
};
netrcFile = lib.mkOption {
type = lib.types.path;
description = "Path to the file that contains `machine api.domeneshop.no login <DDNS_TOKEN> password <DDNS_SECRET>` from https://domene.shop/admin?view=api";
};
startAt = lib.mkOption {
type = lib.types.str;
default = "*:0/10"; # Every 10 minutes
description = "Systemd onCalendar expression for when to run the timer";
};
};
config = lib.mkIf cfg.enable {
systemd.services.domeneshop-dyndns = {
serviceConfig.LoadCredential = "netrc:${cfg.netrcFile}";
startAt = cfg.startAt;
script = ''
DNSNAME="${cfg.domain}"
NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
if [[ "$NEW_IP" != "$OLD_IP" ]]; then
echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
${lib.getExe pkgs.curl} --silent --netrc-file "$CREDENTIALS_DIRECTORY/netrc" "https://api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
else
echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
fi
'';
};
};
}

8
common/pwndbg-gdb-alias.nix
View File

@@ -1,8 +0,0 @@
{ pwndbg }:
# "$ coredumpctl gdb" always runs "gdb" from your path.
pwndbg.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/pwndbg $out/bin/gdb
'';
})

81
common/securecrt.nix
View File

@@ -1,81 +0,0 @@
{
lib,
stdenv,
fetchurl,
autoPatchelfHook,
dpkg,
cups,
gtkmm3,
icu74,
krb5,
makeWrapper,
openssl,
pango,
python312,
xcb-util-cursor,
xorg,
}:
let
packageId = "scrt_ubuntu2464_deb_963";
in stdenv.mkDerivation rec {
pname = "securecrt";
version = "9.6.3";
src = fetchurl {
url = "https://www.vandyke.com/cgi-bin/download_1.php";
name = "${pname}-${version}.deb";
curlOpts = "-X POST --data 'pid=${packageId}&export_check=accept&country=no&su";
sha256 = "sha256-PsFuxJ7H0rJCWWi+rvzrlRUJlp9R4MG14d883/kl9Lo=";
};
unpackCmd = "dpkg -x $curSrc source";
nativeBuildInputs = [
dpkg
autoPatchelfHook
];
buildInputs = [
cups
gtkmm3
icu74
krb5
makeWrapper
openssl
pango
python312
xcb-util-cursor
xorg.xcbutilkeysyms
xorg.xcbutilwm
];
dontConfigure = true;
dontBuild = true;
dontWrapQTApps = true;
installPhase = ''
runhook preInstall
mkdir -p "$out"
cp -R usr/* "$out/"
wrapProgram "$out/bin/SecureCRT" --set QT_QPA_PLATFORM_PLUGIN_PATH "$out/lib/scrt/plugins/platforms"
runhook postInstall
'';
meta = with lib; {
homepage = "https://www.vandyke.com/products/securecrt/unix.html";
description = "Terminal emulator for computing professionals, with advanced session management";
license = {
free = false;
fullName = "Unknown / Custom";
};
platforms = with lib.platforms; linux ++ darwin ++ windows;
broken = !(stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64);
};
mainProgram = "SecureCRT";
}

44
common/wireguard-peers.nix
View File

@@ -1,44 +0,0 @@
[
{ # Sulu
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # fa-t14-2025
publicKey = "UPpUVWQqOKT65MFym1sFDTstNmuynDYE4LOOtbWqEng=";
allowedIPs = [
"10.100.0.7/32"
];
}
{ # Turtle
publicKey = "mDzAtRPv+O5TDHa9DGodF/KKuFXRBYwSqfPyeWfdfRI=";
allowedIPs = [
"10.100.0.8/32"
];
}
{ # Amalies phone
publicKey = "Iqoq00e5rUNygmjOKmSPzvDTzvUdpxkpwVrD6UJXG2w=";
allowedIPs = [
"10.100.0.9/32"
];
}
]

197
flake.lock generated
View File

@@ -1,28 +1,13 @@
{ {
"nodes": { "nodes": {
"extra-config": {
"locked": {
"lastModified": 1745649002,
"narHash": "sha256-XNBExt3+U3o4lip+yj6oorCEPZ9Qe8PzBSFM5ZzVtSA=",
"ref": "refs/heads/main",
"rev": "50c9c15db2b309d299b1c19089c962979e01f45b",
"revCount": 13,
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
},
"original": {
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1747046372, "lastModified": 1673956053,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -36,11 +21,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1681202837,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -56,32 +41,30 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764776959, "lastModified": 1716736833,
"narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=", "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e1680d594a9281651cbf7d126941a8c8e2396183", "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.11", "ref": "release-24.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"matrix-synapse-next": { "matrix-synapse-next": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": "nixpkgs"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1765214213, "lastModified": 1710311999,
"narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=", "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "82959f612ffd523a49c92f84358a9980a851747b", "rev": "6c9b67974b839740e2a738958512c7a704481157",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -93,20 +76,20 @@
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs-darwin" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1764161084, "lastModified": 1710717205,
"narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=", "narHash": "sha256-Wf3gHh5uV6W1TV/A8X8QJf99a5ypDSugY4sNtdJDe0A=",
"owner": "nix-darwin", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "e95de00a471d07435e0527ff4db092c84998698e", "rev": "bcc8afd06e237df060c85bad6af7128e05fd61a3",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-darwin", "owner": "lnl7",
"ref": "nix-darwin-25.11", "ref": "master",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@@ -115,16 +98,14 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": "nixpkgs_2"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1764813963, "lastModified": 1710638386,
"narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=", "narHash": "sha256-8etSpxJaCYBWTViHqQRR6o76WfDX2CuD1o2UQXQrwao=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "491200d6848402bbab1421cccbc15a46f08c7f78", "rev": "8f292bc64336ac9559d33c9a074a214d783a4c8e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -135,89 +116,92 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1764677808, "lastModified": 1706098335,
"narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=", "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1aab89277eb2d87823d5b69bae631a2496cff57a", "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1710628718,
"narHash": "sha256-y+l3eH53UlENaYa1lmnCBHusZb1kxBEFd2/c7lDsGpw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6dc11d9859d6a18ab0c5e5829a5b8e4810658de3",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-25.11", "ref": "release-23.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-2211": { "nixpkgs_2": {
"locked": { "locked": {
"narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=", "lastModified": 1698318101,
"type": "tarball", "narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz" "owner": "nixos",
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
}
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1764806471,
"narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=",
"owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6707b1809330d0f912f5813963bb29f6f194ee81", "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "nixos",
"ref": "nixpkgs-25.11-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1764667669,
"narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "418468ac9527e799809c900eda37cbff999199b6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": {
"locked": {
"lastModified": 1717144377,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"extra-config": "extra-config",
"home-manager": "home-manager", "home-manager": "home-manager",
"matrix-synapse-next": "matrix-synapse-next", "matrix-synapse-next": "matrix-synapse-next",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_3",
"nixpkgs-2211": "nixpkgs-2211", "sops-nix": "sops-nix",
"nixpkgs-darwin": "nixpkgs-darwin", "unstable": "unstable",
"nixpkgs-unstable": "nixpkgs-unstable", "voyager-addons": "voyager-addons"
"sops-nix": "sops-nix"
} }
}, },
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ],
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1764483358, "lastModified": 1710644594,
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", "narHash": "sha256-RquCuzxfy4Nr8DPbdp3D/AsbYep21JgQzG8aMH9jJ4A=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "5aca6ff67264321d47856a2ed183729271107c9c", "rev": "83b68a0e8c94b72cdd0a6e547a14ca7eb1c03616",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -240,6 +224,37 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"unstable": {
"locked": {
"lastModified": 1710631334,
"narHash": "sha256-rL5LSYd85kplL5othxK5lmAtjyMOBg390sGBTb3LRMM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c75037bbf9093a2acb617804ee46320d6d1fea5a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"voyager-addons": {
"locked": {
"lastModified": 1717176924,
"narHash": "sha256-pYq/v0RNwHshSZf2OeH3P6Aa4/zHGDAJq7Z2Ah9i700=",
"ref": "refs/heads/main",
"rev": "15f32cc6b828c56cb6a954de0096b81f291100d9",
"revCount": 8,
"type": "git",
"url": "file:///home/felixalb/voyager-addons"
},
"original": {
"type": "git",
"url": "file:///home/felixalb/voyager-addons"
}
} }
}, },
"root": "root", "root": "root",

147
flake.nix
View File

@@ -2,24 +2,20 @@
description = "Felixalb System flake"; description = "Felixalb System flake";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin"; unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11"; nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager/release-25.11"; home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release matrix-synapse-next.url = "github:dali99/nixos-matrix-modules";
matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
nix-minecraft.url = "github:Infinidoge/nix-minecraft"; nix-minecraft.url = "github:Infinidoge/nix-minecraft";
nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
extra-config.url = "git+file:///home/felixalb/nix-extra-config"; # voyager-addons.url = "git+ssh://git@git.feal.no:2222/felixalb/voyager-addons.git";
voyager-addons.url = "git+file:///home/felixalb/voyager-addons";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -32,97 +28,118 @@
, nix-minecraft , nix-minecraft
, nix-darwin , nix-darwin
, nixpkgs , nixpkgs
, nixpkgs-2211
, nixpkgs-darwin
, nixpkgs-unstable
, sops-nix , sops-nix
, extra-config , unstable
, voyager-addons
, ... }@inputs: , ... }@inputs:
let let
pkgs-overlay = final: prev: { overlay-unstable = final: prev: {
unstable = import nixpkgs-unstable { unstable = unstable.legacyPackages.${prev.system};
system = prev.system;
config.allowUnfree = true;
};
nixpkgs-2211 = import nixpkgs-2211 {
system = prev.system;
config.allowUnfree = true;
};
pwndbg-gdb-alias = prev.callPackage ./common/pwndbg-gdb-alias.nix { };
securecrt = prev.callPackage ./common/securecrt.nix { };
}; };
in in
{ {
nixosConfigurations = let nixosConfigurations = {
normalSys = name: hostConfig: nixpkgs.lib.nixosSystem { voyager = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; # TODO - Handle system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
({ config, pkgs, ... }: { # Overlays-module makes "pkgs.unstable" available in configuration.nix
# Make "pkgs.unstable" etc. available ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
nixpkgs.overlays = [ pkgs-overlay ] ++ hostConfig.overlays or [ ];
})
./hosts/${name}/configuration.nix ./hosts/voyager/configuration.nix
voyager-addons.nixosModules.default
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager { home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users = { home-manager.users."felixalb" = import ./hosts/voyager/home.nix;
"felixalb" = import ./hosts/${name}/home.nix;
} // hostConfig.home-manager-users or { };
} }
] ++ hostConfig.modules or [ ];
};
in {
# Media / storage server
challenger = normalSys "challenger" {
modules = [
extra-config.nixosModules.default
]; ];
}; };
defiant = nixpkgs.lib.nixosSystem {
# General application server system = "x86_64-linux";
defiant = normalSys "defiant" { specialArgs = {
inherit inputs;
};
modules = [ modules = [
./common/domeneshop-dyndns.nix # Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/defiant/configuration.nix
sops-nix.nixosModules.sops
matrix-synapse-next.nixosModules.default matrix-synapse-next.nixosModules.default
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/defiant/home.nix;
}
]; ];
}; };
edison = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
# Work laptop ./hosts/edison/configuration.nix
fa-t14-2025 = normalSys "fa-t14-2025" { }; sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/edison/home.nix;
}
];
};
burnham = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
# Web host ./hosts/burnham/configuration.nix
leonard = normalSys "leonard" { }; sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
# General application server home-manager.useGlobalPkgs = true;
morn = normalSys "morn" { }; home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/burnham/home.nix;
# Home desktop }
sisko = normalSys "sisko" { }; ];
};
redshirt = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
./hosts/redshirt/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
sops-nix.nixosModules.sops
];
};
}; };
# Daily driver macbook
darwinConfigurations.worf = nix-darwin.lib.darwinSystem { darwinConfigurations.worf = nix-darwin.lib.darwinSystem {
system = "aarch64-darwin"; system = "aarch64-darwin";
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
./hosts/worf/configuration.nix ./hosts/worf/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
home-manager.darwinModules.home-manager { home-manager.darwinModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/worf/home.nix; home-manager.users."felixalb" = import ./hosts/worf/home.nix;
} }
# sops-nix.nixosModules.sops
]; ];
}; };

59
home/alacritty.nix
View File

@@ -14,12 +14,11 @@
}; };
dynamic_padding = true; dynamic_padding = true;
dynamic_title = true;
decorations = "none"; # full/none/transparent/buttonless decorations = "none"; # full/none/transparent/buttonless
# Transparency: # Transparency:
opacity = lib.mkDefault 0.95; # opacity = 0.95;
}; };
scrolling = { scrolling = {
@@ -47,37 +46,10 @@
size = 14; size = 14;
}; };
colors = {
draw_bold_text_with_bright_colors = true; draw_bold_text_with_bright_colors = true;
# # gruvbox_material_medium_dark colors = {
# primary = { # # Tomorrow Night Bright
# background = "0x282828";
# foreground = "0xd4be98";
# };
# normal = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# bright = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# # # Tomorrow Night Bright
# primary = { # primary = {
# background = "0x141414"; # background = "0x141414";
# foreground = "0xeaeaea"; # foreground = "0xeaeaea";
@@ -110,7 +82,6 @@
# white = "0xffffff"; # white = "0xffffff";
# }; # };
# Nord: # Nord:
primary = { primary = {
background = "0x2e3440"; background = "0x2e3440";
@@ -179,10 +150,10 @@
# indexed_colors: [] # indexed_colors: []
}; };
bell = { visual_bell = {
animation = "Ease"; animation = "EaseOutExpo";
color = "0xffffff"; color = "0xffffff";
duration = 100; duration = 200;
}; };
# Key bindings # Key bindings
@@ -337,19 +308,29 @@
# - { key: Delete, chars: "\x1b[3~" } # - { key: Delete, chars: "\x1b[3~" }
mouse = {
double_click = { threshold = 300; };
triple_click = { threshold = 300; };
hide_when_typing = false;
};
selection = { selection = {
semantic_escape_chars = ",`|:\"' ()[]{}<>"; semantic_escape_chars = ",`|:\"' ()[]{}<>";
save_to_clipboard = false; save_to_clipboard = false;
}; };
mouse_bindings = [
{ mouse = "Middle"; action = "PasteSelection"; }
];
cursor = { cursor = {
style = { style = "Block";
shape = "Block"; blinking = true;
blinking = "on";
};
unfocused_hollow = true; unfocused_hollow = true;
}; };
dynamic_title = true;
}; };
}; };
} }

43
home/amalieem/default.nix
View File

@@ -1,43 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../alacritty.nix
];
home = {
packages = with pkgs; [
papers
kitty
pavucontrol
# Window Manager Extras
bibata-cursors
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
swaynotificationcenter
waybar
wl-clipboard
];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs = {
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
firefox.enable = true;
wofi.enable = true;
};
home.stateVersion = "24.11";
}

37
home/base.nix
View File

@@ -1,38 +1,25 @@
{ pkgs, lib, ... }: { pkgs, ... }:
{ {
imports = [ imports = [
./neovim.nix ./neovim.nix
./zsh.nix ./zsh.nix
]; ];
home = { home.packages = with pkgs; [
packages = with pkgs; [
bat
bottom bottom
# ncdu unstable.ncdu
neofetch neofetch
pwgen
sshfs
sshuttle
]; ];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs.nix-index = { programs.nix-index = {
enable = true; enable = true;
enableZshIntegration = true; enableZshIntegration = true;
}; };
programs.fzf.enable = true;
programs.git = { programs.git = {
enable = true; enable = true;
settings = { extraConfig = {
pull.rebase = true; pull.rebase = true;
push.autoSetupRemote = true; push.autoSetupRemote = true;
color.ui = "auto"; color.ui = "auto";
@@ -41,10 +28,7 @@
user = { user = {
name = "Felix Albrigtsen"; name = "Felix Albrigtsen";
email = lib.mkDefault "felix@albrigtsen.it"; email = "felix@albrigtsen.it";
};
safe = {
directory = "/config";
}; };
}; };
ignores = [ ignores = [
@@ -55,15 +39,4 @@
]; ];
}; };
programs.tmux = {
enable = true;
sensibleOnTop = true;
baseIndex = 1;
clock24 = true;
keyMode = "vi";
mouse = true;
terminal = "screen-256color";
};
} }

20
home/neovim.nix
View File

@@ -21,6 +21,7 @@ in {
telescope-nvim telescope-nvim
nvim-lspconfig nvim-lspconfig
copilot-vim
nvim-treesitter nvim-treesitter
coc-css coc-css
@@ -28,9 +29,9 @@ in {
coc-html coc-html
coc-json coc-json
coc-nvim coc-nvim
coc-pyright
vim-nix vim-nix
vim-puppet
]; ];
withNodeJs = true; withNodeJs = true;
@@ -50,7 +51,7 @@ in {
" Integrate status with lightline " Integrate status with lightline
let g:lightline = { let g:lightline = {
\ 'active': { \ 'active': {
\ 'left': [[ 'mode', 'paste', 'filename', 'readonly', 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]] \ 'left': [[ 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]]
\ } \ }
\ } \ }
@@ -97,15 +98,10 @@ in {
" Nerdtree-settings " Nerdtree-settings
" Toggle nerdtree on Ctrl+t " Toggle nerdtree on Ctrl+t
nmap <silent> <C-t> :NERDTreeToggle<CR> nmap <silent> <C-t> :NERDTreeToggle<CR>
" Close vim is Nerdtree is the only buffer left
autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
if empty($AERC_ACCOUNT) && empty($MOZ_APP_LAUNCHER)
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window autocmd VimEnter * wincmd p " Unselect nerdtree window
endif " Close vim is Nerdtree is the only buffer left
autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
autocmd Filetype go setlocal expandtab tabstop=4 shiftwidth=4 softtabstop=4
" List and switch buffers on Ctrl+k " List and switch buffers on Ctrl+k
" nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space> " nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space>
@@ -120,18 +116,12 @@ in {
nnoremap <C-s> <cmd>Telescope find_files<cr> nnoremap <C-s> <cmd>Telescope find_files<cr>
nnoremap <C-g> <cmd>Telescope live_grep<cr> nnoremap <C-g> <cmd>Telescope live_grep<cr>
" Don't darken the background
autocmd VimEnter * highlight normal ctermbg=NONE guibg=NONE
" Show trailing whitespace " Show trailing whitespace
highlight ExtraWhitespace ctermbg=red guibg=red highlight ExtraWhitespace ctermbg=red guibg=red
match ExtraWhitespace /\s\+$/ match ExtraWhitespace /\s\+$/
" Disable search highlights " Disable search highlights
map <Leader><Space> :noh<CR> map <Leader><Space> :noh<CR>
" Start with Coc disabled
" autocmd VimEnter * CocDisable
''; '';
}; };

32
home/zsh.nix
View File

@@ -2,7 +2,6 @@
programs = { programs = {
zsh = { zsh = {
enable = true; enable = true;
history.extended = true;
prezto = { prezto = {
enable = true; enable = true;
@@ -22,7 +21,6 @@
"terminal" "terminal"
"editor" "editor"
"history" "history"
"history-substring-search"
# "directory" # "directory"
"spectrum" "spectrum"
# "utility" # "utility"
@@ -30,39 +28,33 @@
"git" "git"
"autosuggestions" "autosuggestions"
"syntax-highlighting" "syntax-highlighting"
"history-substring-search"
"prompt" "prompt"
]; ];
}; };
initContent = '' initExtra = ''
# Autocomplete ../ # Autocomplete ../
zstyle ':completion:*' special-dirs true zstyle ':completion:*' special-dirs true
export PATH="$HOME/.config/emacs/bin:$HOME/.cargo/bin:$PATH" export PATH="$HOME/.config/emacs/bin:$PATH"
unalias "gs" unalias "gs"
if [ -f ~/.config/zsh-extras ]; then
source ~/.config/zsh-extras
fi
''; '';
shellAliases = { shellAliases = {
c = "z";
em = "emacsclient -c";
emnw = "emacsclient -nw";
grep = "grep --color=auto";
l = "exa -l"; l = "exa -l";
ls = "ls --color=auto"; c = "z";
nd = "nix develop --command zsh"; tree = "exa --tree --icons";
s = "nix-shell --run zsh"; s = "nix-shell --run zsh";
sp = "nix-shell --run zsh -p"; sp = "nix-shell --run zsh -p";
spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p"; spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p";
tree = "exa --tree --icons"; nd = "nix develop --command zsh";
em = "emacsclient -c";
"git clone git clone" = "git clone"; emnw = "emacsclient -nw";
gcm = "git commit -m";
gpl = "git pull";
gps = "git push";
gst = "git status -sb"; gst = "git status -sb";
gcm = "git commit -m";
gps = "git push";
gpl = "git pull";
"git clone git clone" = "git clone";
}; };
}; };

39
hosts/burnham/configuration.nix Normal file
View File

@@ -0,0 +1,39 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
# Infrastructure
./services/wireguard.nix
# Other
./services/thelounge.nix
./services/nginx.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "burnham";
defaultGateway = "192.168.11.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.11.109"; prefixLength = 24; }
];
};
hostId = "8e24f235";
};
# sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "23.11";
}

17
hosts/morn/hardware-configuration.nix → hosts/burnham/hardware-configuration.nix
View File

@@ -1,6 +1,3 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
@@ -14,17 +11,13 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/93307186-cbc3-4748-859f-0013a1e36def"; { device = "/dev/disk/by-uuid/31ff6d37-52d6-43c3-a214-5d38a6c38b0e";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = swapDevices =
{ device = "/dev/disk/by-uuid/FFCD-993A"; [ { device = "/dev/disk/by-uuid/cce59ee7-7c83-4165-a9b0-f950cd2e3273"; }
fsType = "vfat"; ];
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -33,5 +26,5 @@
#networking.useDHCP = lib.mkDefault true; #networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

2
hosts/challenger/home.nix → hosts/burnham/home.nix
View File

@@ -8,5 +8,5 @@
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
}; };
home.stateVersion = "24.05"; home.stateVersion = "23.05";
} }

0
hosts/leonard/services/nginx.nix → hosts/burnham/services/nginx.nix
View File

0
hosts/morn/services/thelounge.nix → hosts/burnham/services/thelounge.nix
View File

56
hosts/burnham/services/wireguard.nix Normal file
View File

@@ -0,0 +1,56 @@
{ config, pkgs, lib, ... }:
let
cfg = config.networking.wireguard.interfaces."wg0";
in {
networking = {
nat = {
enable = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ cfg.listenPort ];
wireguard.interfaces."wg0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/burnham.private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
peers = [
{ # Defiant
publicKey = "8/711GhmN9+NcduHF4JPkfoZPE0qsDLuwhABcPyjNxI=";
persistentKeepalive = 120;
allowedIPs = [
"10.100.0.1/32"
"192.168.10.0/24"
];
endpoint = "site3.feal.no:51902";
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
];
};
};
}

37
hosts/challenger/amalieem.nix
View File

@@ -1,37 +0,0 @@
{ config, pkgs, lib, ... }:
let
cmdChownManga = pkgs.writeScriptBin "chownManga" ''
#!${pkgs.stdenv.shell}
chown -R amalieem:komga /tank/media/komga/Amalie
chmod -R 750 /tank/media/komga/Amalie
'';
in {
users.users."amalieem" = {
isNormalUser = true;
home = "/home/amalieem";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
];
packages = with pkgs; [
cmdChownManga
mangal
rsync
];
};
security.sudo = {
enable = true;
extraRules = [{
commands = [
{
command = "${lib.getExe cmdChownManga}";
options = [ "NOPASSWD" ];
}
];
users = [ "amalieem" ];
}];
};
}

84
hosts/challenger/backup.nix
View File

@@ -1,84 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 10"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
# Calibre metadata and config
calibre = localJob "calibre" [
"/var/lib/calibre-web"
"/var/lib/calibre-server"
];
# Other system backups (NB: Large!)
hostBackups = localJob "hostBackups" [
"/tank/backup"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
media = localJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
];
media-remote = cloudJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
# Nextcloud config and data
nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ];
nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ];
# Postgresql databases
postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
# Transmission metadata/config
transmission = localJob "transmission" [ "/var/lib/transmission" ];
# TODO: timemachine
};
sops.secrets."restic/calibre" = { };
sops.secrets."restic/hostBackups" = { };
sops.secrets."restic/media" = { };
sops.secrets."restic/nextcloud" = { };
sops.secrets."restic/postgres" = { };
sops.secrets."restic/transmission" = { };
environment.systemPackages = with pkgs; [
restic
];
}

65
hosts/challenger/configuration.nix
View File

@@ -1,65 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
../../base.nix
../../common/metrics-exporters.nix
./amalieem.nix
./backup.nix
# ./exports.nix
./filesystems.nix
# ./services/archivebox.nix
./services/audiobookshelf.nix
./services/calibre.nix
./services/jellyfin.nix
./services/komga.nix
./services/nextcloud.nix
./services/nginx.nix
./services/postgres.nix
./services/timemachine.nix
];
networking = {
hostName = "challenger";
bridges.br0.interfaces = [ "ens18" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.161"; prefixLength = 24; }
];
hostId = "828ab735";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/challenger/challenger.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
security.polkit.enable = true; # Required for nextcloud
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
];
hardware.nvidia = {
modesetting.enable = true;
open = false;
};
hardware.graphics.enable = true;
services.xserver.videoDrivers = ["nvidia"];
system.stateVersion = "24.05";
}

21
hosts/challenger/exports.nix
View File

@@ -1,21 +0,0 @@
{ config, pkgs, lib, ... }:
{
fileSystems = {
"/export/riker-backup" = {
device = "/tank/backup/riker";
options = [ "bind" ];
};
};
# Enable nfs4 only
# services.nfs.server = {
# enable = true;
# exports = ''
# /export 192.168.10.67(rw,fsid=0,no_subtree_check)
# /export/riker-backup 192.168.10.67(rw,nohide,no_subtree_check,no_root_squash)
# '';
# };
# networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
# networking.firewall.allowedUDPPorts = [ 111 20048];
}

48
hosts/challenger/filesystems.nix
View File

@@ -1,48 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems = [ "zfs" ];
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
fileSystems = {
"/mnt/feal-syn1/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
"/mnt/feal-syn2/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.11.163:/volume1/challenger";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}

35
hosts/challenger/services/archivebox.nix
View File

@@ -1,35 +0,0 @@
{ config, lib, ... }:
let
host = "127.0.1.2";
port = "5009";
uid = 911;
gid = 911;
in {
users.users.archivebox = {
inherit uid;
group = "archivebox";
isSystemUser = true;
useDefaultShell = true;
description = "ArchiveBox web archiving tool";
};
users.groups.archivebox = {
inherit gid;
};
# ArchiveBox - Open source self-hosted web archiving.
virtualisation.oci-containers.containers.archivebox = {
image = "archivebox/archivebox:0.8.5rc50";
ports = [ "${host}:${port}:8000" ];
volumes = [
"/tank/archivebox:/data"
];
};
services.nginx.virtualHosts."archivebox.home.feal.no" = {
locations."/" = {
proxyPass = "http://${host}:${port}";
};
};
}

57
hosts/challenger/services/audiobookshelf.nix
View File

@@ -1,57 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "audiobooks.home.feal.no";
host = "127.0.1.2";
port = 5016;
in {
fileSystems = {
"/var/lib/audiobookshelf" = {
device = "/tank/media/audiobookshelf/config";
options = [ "bind" ];
};
};
services.audiobookshelf = {
enable = true;
dataDir = "audiobookshelf";
inherit host port;
};
systemd.services.audiobookshelf = {
requires = [ "var-lib-audiobookshelf.mount" ];
serviceConfig = {
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/audiobookshelf"
"/tank/media/audiobookshelf"
];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
}

154
hosts/challenger/services/nextcloud.nix
View File

@@ -1,154 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.nextcloud;
hostName = "cloud.feal.no";
in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
inherit hostName;
home = "/tank/nextcloud";
https = true;
webfinger = true;
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "ncadmin";
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
};
settings = {
default_phone_region = "NO";
log_type = "file";
overwriteprotocol = "https";
trusted_proxies = [ "192.168.10.175" ]; # defiant
# Docs: https://github.com/pulsejet/nextcloud-oidc-login
oidc_login_auto_redirect = true;
oidc_login_button_text = "Log in with KeyCloak";
oidc_login_client_id = "nextcloud";
oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
oidc_login_code_challenge_method = "S256";
oidc_login_end_session_redirect' = true;
oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
oidc_login_redir_fallback = true;
oidc_login_attributes = {
id = "preferred_username";
mail = "email";
name = "name";
login_filter = "nextcloud-roles";
};
oidc_login_filter_allowed_values = [ "nextcloud-user" ];
oidc_login_disable_registration = false;
"memories.exiftool" = pkgs.writeShellScript "exiftool-perl" ''
${lib.getExe pkgs.perl} ${cfg.home}/store-apps/memories/bin-ext/exiftool/exiftool "$@"
'';
"memories.exiftool_no_local" = false;
"memories.vod.disable" = false;
"memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
preview_ffmpeg_path = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
};
secretFile = config.sops.secrets."nextcloud/secretsjson".path;
phpOptions = {
"opcache.interned_strings_buffer" = "16";
"upload_max_filesize" = lib.mkForce "8G";
"post_max_size" = lib.mkForce "8G";
"memory_limit" = lib.mkForce "8G";
};
poolSettings = {
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
environment.systemPackages = [
cfg.occ # "occ CMD" in the docs -> "sudo -u nextcloud nextcloud-occ CMD"
pkgs.nodejs_20 # For Recognize; Put /run/current-system/sw/bin/node in the "node_binary" field in the web UI -> Memories
];
sops.secrets."nextcloud/adminpass" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
sops.secrets."nextcloud/secretsjson" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
services.postgresql = {
ensureDatabases = [ "nextcloud" ];
ensureUsers = [ {
name = "nextcloud";
ensureDBOwnership = true;
} ];
};
systemd.services.nextcloud-cron = {
path = with pkgs; [
exiftool
ffmpeg-headless
];
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
systemd.services."phpfpm-nextcloud" = {
requires = [ "tank-nextcloud.mount" ];
path = with pkgs; [
# perl
# perlPackages.ImageExifTool
exiftool
ffmpeg-headless
];
serviceConfig = {
PrivateDevices = lib.mkForce false;
WorkingDirectory = "/tank/nextcloud";
NoNewPrivileges = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
InaccessiblePaths = [ "/tank/media" "/tank/backup" ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
};
};
# Notes:
# - Install Memories and Recognize from the app store
# - They might need to be forced on with "nextcloud-occ app:enable memories", etc.
# - Run "nextcloud-occ maintenance:repair" to fix broken paths
# - Download ai models and maps with the commands given in the ui
# - libtensorflow doesn't work properly through node, but recognize still works(?)
}

92
hosts/defiant/backup.nix
View File

@@ -1,50 +1,62 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
services.restic.backups = let services.borgbackup.jobs =
localJob = name: paths: { let
inherit paths; borgJob = name: {
repository = "/mnt/feal-syn1/backup/defiant/${name}"; environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
passwordFile = config.sops.secrets."restic/${name}".path; environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
initialize = true; repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/defiant/${name}";
pruneOpts = [ compression = "auto,zstd";
"--keep-daily 3"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
}; };
in { in {
postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // { postgresDaily = borgJob "postgres::daily" // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup paths = "/data/backup/postgresql";
startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
}; };
postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
}; };
gitea = (localJob "gitea" [ "/tank/services/gitea" ]); postgresWeekly = borgJob "postgres::weekly" // {
gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]); paths = "/data/backup/postgresql";
startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]); extraInitArgs = "--storage-quota 10G";
matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]); encryption = {
mode = "repokey-blake2";
vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]); passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]); };
}; };
# TODO: home-assistant, pihole gitea = borgJob "gitea::weekly" // {
sops.secrets."restic/postgres" = { }; paths = "/tank/services/gitea";
sops.secrets."restic/gitea" = { }; startAt = "Mon *-*-* 05:15:00";
sops.secrets."restic/matrix-synapse" = { }; extraInitArgs = "--storage-quota 20G";
sops.secrets."restic/vaultwarden" = { }; encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/gitea".path}";
};
};
minecraft = borgJob "minecraft::weekly" // {
paths = "/var/lib/minecraft-wack";
startAt = "weekly";
extraInitArgs = "--storage-quota 20G";
encryption.mode = "none";
preHook = ''
${pkgs.mcrcon}/bin/mcrcon -p wack "say Starting Backup" "save-off" "save-all"
'';
postHook = ''
${pkgs.mcrcon}/bin/mcrcon -p wack "save-all" "say Completed Backup" "save-on" "save-all"
'';
};
};
# TODO: Matrix (keys,media,db), home-assistant, pihole, vaultwarden
sops.secrets."borg/postgres" = { };
sops.secrets."borg/gitea" = { };
} }

20
hosts/defiant/configuration.nix
View File

@@ -5,29 +5,25 @@
[ [
../../base.nix ../../base.nix
../../common/metrics-exporters.nix ../../common/metrics-exporters.nix
./filesystems.nix
./hardware-configuration.nix ./hardware-configuration.nix
# Infrastructure # Infrastructure
./backup.nix ./backup.nix
./libvirt.nix ./libvirt.nix
./services/dyndns.nix
./services/nginx.nix ./services/nginx.nix
./services/pihole.nix ./services/pihole.nix
./services/postgresql.nix ./services/postgresql.nix
./services/wireguard.nix ./services/wireguard.nix
# Services # Services
./services/flame.nix
./services/gitea.nix ./services/gitea.nix
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/home-assistant.nix ./services/home-assistant.nix
./services/keycloak.nix
./services/matrix ./services/matrix
./services/microbin.nix
# ./services/minecraft/home.nix
./services/monitoring ./services/monitoring
# ./services/rtl-tcp.nix ./services/microbin.nix
# ./services/searx.nix #./services/minecraft.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
]; ];
@@ -45,6 +41,16 @@
sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml; sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
environment.variables = { EDITOR = "vim"; }; environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.prometheus.exporters.zfs.enable = true;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker"; virtualisation.oci-containers.backend = "docker";

30
hosts/defiant/filesystems.nix
View File

@@ -1,30 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
};
services.prometheus.exporters.zfs.enable = true;
environment.systemPackages = with pkgs; [
cifs-utils
zfs
];
fileSystems = {
"/mnt/feal-syn1/backup" = {
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}

11
hosts/defiant/services/dyndns.nix
View File

@@ -1,11 +0,0 @@
{ config, pkgs, lib, ... }:
{
sops.secrets."domeneshop/netrc" = { };
services.domeneshop-dyndns = {
enable = true;
domain = "site3.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path;
};
}

22
hosts/defiant/services/flame.nix Normal file
View File

@@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${host}:${port}";
};
}

9
hosts/defiant/services/gitea.nix
View File

@@ -36,6 +36,7 @@ in {
OPENID_CONNECT_SCOPES = "email profile openid"; OPENID_CONNECT_SCOPES = "email profile openid";
UPDATE_AVATAR = true; UPDATE_AVATAR = true;
ACCOUNT_LINKING = "auto"; ACCOUNT_LINKING = "auto";
USERNAME = "email";
}; };
log.LEVEL = "Info"; log.LEVEL = "Info";
@@ -44,11 +45,15 @@ in {
ui = { ui = {
THEMES="gitea,arc-green,nord"; THEMES="gitea,arc-green,nord";
#DEFAULT_THEME="nord"; DEFAULT_THEME="nord";
}; };
}; };
# TODO: configure mailer # TODO:
# - Backup
# - services.gitea.dump?
# - ZFS snapshots?
# - configure mailer
}; };
systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work"; systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";

27
hosts/defiant/services/hedgedoc.nix
View File

@@ -4,7 +4,7 @@ let
domain = "md.feal.no"; domain = "md.feal.no";
port = 3300; port = 3300;
host = "127.0.1.2"; host = "127.0.1.2";
authServerUrl = "https://iam.feal.no"; authServerUrl = "https://auth.feal.no";
in { in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = { sops.secrets."hedgedoc/env" = {
@@ -21,8 +21,9 @@ in {
allowFreeURL = true; allowFreeURL = true;
allowAnonymous = false; allowAnonymous = false;
allowAnonymousEdits = true; allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
# dbURL = "postgres://hedgedoc@localhost/hedgedoc";
db = { db = {
username = "hedgedoc"; username = "hedgedoc";
database = "hedgedoc"; database = "hedgedoc";
@@ -31,23 +32,20 @@ in {
}; };
email = false; email = false;
oauth2 = let oauth2 = {
oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect"; baseURL = "${authServerUrl}/oauth2";
in { tokenURL = "${authServerUrl}/oauth2/token";
providerName = "Keycloak"; authorizationURL = "${authServerUrl}/ui/oauth2";
authorizationURL = "${oidc}/auth"; userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
baseURL = "${authServerUrl}";
tokenURL = "${oidc}/token";
userProfileURL = "${oidc}/userinfo";
clientID = "hedgedoc"; clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile"; scope = "openid email profile";
userProfileDisplayNameAttr = "name"; userProfileUsernameAttr = "name";
userProfileEmailAttr = "email"; userProfileEmailAttr = "email";
userProfileUsernameAttr = "preferred_username"; userProfileDisplayNameAttr = "displayname";
rolesClaim = "hedgedoc-roles";
accessRole = "hedgedoc-user"; providerName = "KaniDM";
}; };
}; };
}; };
@@ -55,6 +53,7 @@ in {
systemd.services.hedgedoc = { systemd.services.hedgedoc = {
requires = [ requires = [
"postgresql.service" "postgresql.service"
# "kanidm.service"
]; ];
serviceConfig = let serviceConfig = let
workDir = "/var/lib/hedgedoc"; workDir = "/var/lib/hedgedoc";

3
hosts/defiant/services/home-assistant.nix
View File

@@ -8,10 +8,9 @@ in {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
homeassistant = { homeassistant = {
image = "ghcr.io/home-assistant/home-assistant:2025.5.3"; image = "ghcr.io/home-assistant/home-assistant:2024.1";
extraOptions = [ extraOptions = [
"--network=host" "--network=host"
"--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB
]; ];
volumes = [ volumes = [
"/tank/services/homeassistant/config:/config" "/tank/services/homeassistant/config:/config"

33
hosts/defiant/services/keycloak.nix
View File

@@ -1,33 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.keycloak.settings;
hostname = "iam.feal.no";
in {
sops.secrets."keycloak/postgres" = { };
services.keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
username = "keycloak";
passwordFile = config.sops.secrets."keycloak/postgres".path;
};
settings = {
cache = "local";
hostname = "https://${hostname}";
hostname-backchannel-dynamic = false;
http-enabled = true;
http-host = "127.0.1.2";
http-port = 5060;
proxy-headers = "xforwarded";
};
};
# The main reverse proxy is defined in ./nginx.nix
services.nginx.virtualHosts.${hostname} = {
locations."= /".return = "302 ${cfg.hostname}/realms/feal.no/account";
};
}

31
hosts/defiant/services/matrix/synapse.nix
View File

@@ -6,12 +6,6 @@
group = "matrix-synapse"; group = "matrix-synapse";
}; };
sops.secrets."matrix/synapse/oidcsecret" = {
restartUnits = [ "matrix-synapse.service" ];
owner = "matrix-synapse";
group = "matrix-synapse";
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
enableNginx = true; enableNginx = true;
@@ -75,34 +69,13 @@
tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt"; tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key"; tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
enableSlidingSync = true;
oidc_providers = [
{
idp_id = "keycloak";
idp_name = "Keycloak";
issuer = "https://iam.feal.no/realms/feal.no";
client_id = "matrix-synapse";
client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
};
attribute_requirements = [{
attribute = "matrix-roles";
value = "matrix-user";
}];
backchannel_logout_enabled = true;
enable_registration = false;
}
];
}; };
}; };
services.redis.servers."".enable = true;
services.postgresqlBackup.databases = [ "matrix-synapse" ]; services.postgresqlBackup.databases = [ "matrix-synapse" ];
services.redis.servers."".enable = true;
services.nginx.virtualHosts."matrix.feal.no" = { services.nginx.virtualHosts."matrix.feal.no" = {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }

0
hosts/defiant/services/minecraft/wack.nix → hosts/defiant/services/minecraft.nix
View File

50
hosts/defiant/services/minecraft/home.nix
View File

@@ -1,50 +0,0 @@
{ config, pkgs, lib, inputs, ... }:
{
imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/var/lib/minecraft-server";
servers.home = {
enable = true;
jvmOpts = "-Xms4G -Xmx4G";
package = pkgs.fabricServers.fabric-1_21_4;
serverProperties = {
motd = "Home <3";
difficulty = "easy";
view-distance = 16;
simulation-distance = 16;
enable-command-block = true;
enable-rcon = true;
online-mode = false;
"rcon.password" = "wack";
};
symlinks = {
mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
FabricAPI = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar";
sha256 = "sha256-nL1bcAaMW0tRCpfW0prd3mce14ZNcl7pAUabVXAQfWs=";
};
Lithium = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/zVOQw7YU/lithium-fabric-0.14.6%2Bmc1.21.4.jar";
sha256 = "sha256-iF4hy+3XVJP7Fv6R2dsrYq6Ct0MQJLX4/4Yh5WEJm90=";
};
});
};
};
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server"
];
networking.firewall.allowedUDPPorts = [ 24454 ];
}

7019
hosts/defiant/services/monitoring/dashboards/openwrt.json Normal file
View File

File diff suppressed because it is too large Load Diff

6
hosts/defiant/services/monitoring/grafana.nix
View File

@@ -44,6 +44,12 @@ in {
url = "https://grafana.com/api/dashboards/14284/revisions/9/download"; url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
options.path = dashboards/synology-nas-details.json; options.path = dashboards/synology-nas-details.json;
} }
{
name = "OpenWRT";
type = "file";
url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
options.path = dashboards/openwrt.json;
}
]; ];
}; };
}; };

4
hosts/defiant/services/monitoring/loki.nix
View File

@@ -51,6 +51,7 @@ in {
boltdb_shipper = { boltdb_shipper = {
active_index_directory = "${saveDirectory}/boltdb-shipper-index"; active_index_directory = "${saveDirectory}/boltdb-shipper-index";
cache_location = "${saveDirectory}/boltdb-shipper-cache"; cache_location = "${saveDirectory}/boltdb-shipper-cache";
shared_store = "filesystem";
cache_ttl = "24h"; cache_ttl = "24h";
}; };
filesystem = { filesystem = {
@@ -59,13 +60,14 @@ in {
}; };
limits_config = { limits_config = {
allow_structured_metadata = false; enforce_metric_name = false;
reject_old_samples = true; reject_old_samples = true;
reject_old_samples_max_age = "72h"; reject_old_samples_max_age = "72h";
}; };
compactor = { compactor = {
working_directory = "${saveDirectory}/compactor"; working_directory = "${saveDirectory}/compactor";
shared_store = "filesystem";
}; };
}; };
}; };

17
hosts/defiant/services/monitoring/prometheus.nix
View File

@@ -17,16 +17,23 @@ in {
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"challenger.home.feal.no:9100" "voyager.home.feal.no:9100"
"constellation.home.feal.no:9100" "sulu.home.feal.no:9100"
"mccoy.home.feal.no:9100"
"dlink-feal.home.feal.no:9100"
"edison.home.feal.no:9100"
"defiant.home.feal.no:9100" "defiant.home.feal.no:9100"
"leonard.home.feal.no:9100" "scotty.home.feal.no:9100"
"morn.home.feal.no:9100"
"sisko.home.feal.no:9100"
]; ];
} }
]; ];
} }
{
job_name = "openwrt";
static_configs = [
{ targets = ["dlink-feal.home.feal.no:9100"]; }
];
}
{ {
job_name = "snmp"; job_name = "snmp";
static_configs = [{ static_configs = [{

1661
hosts/defiant/services/monitoring/snmp-exporter-conf.yml
View File

File diff suppressed because it is too large Load Diff

20
hosts/defiant/services/monitoring/snmp-exporter.nix
View File

@@ -1,12 +1,20 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
services.prometheus.exporters.snmp = { environment.systemPackages = [
pkgs.prometheus-snmp-exporter
];
systemd.services.prometheus-snmp-exporter = {
enable = true; enable = true;
configurationPath = ./snmp-exporter-conf.yml; description = "Gather data from SNMP devices and expose them as Prometheus metrics";
# snmp.yml is built from unitConfig = {
# https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml Type = "simple";
# and };
# https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf serviceConfig = {
ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/tank/services/metrics/prometheus/snmp.yml'";
# snmp.yml = https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml + https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
};
wantedBy = [ "multi-user.target" ];
}; };
} }

28
hosts/defiant/services/nginx.nix
View File

@@ -1,8 +1,5 @@
{ config, values, ... }: { config, values, ... }:
let {
gitea = config.services.gitea.settings;
keycloak = config.services.keycloak.settings;
in {
services.nginx = { services.nginx = {
enable = true; enable = true;
enableReload = true; enableReload = true;
@@ -34,7 +31,7 @@ in {
# Publicly exposed services: # Publicly exposed services:
services.nginx.virtualHosts = let services.nginx.virtualHosts = let
publicProxy = upstream: overrides: { publicProxy = upstream: {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; } { addr = "192.168.10.175"; port = 43080; ssl = false; }
@@ -52,22 +49,11 @@ in {
server_tokens off; server_tokens off;
''; '';
} // overrides; };
in { in {
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { }; "auth.feal.no" = publicProxy "https://voyager.home.feal.no";
"cloud.feal.no" = publicProxy "" { "cloud.feal.no" = publicProxy "http://voyager.home.feal.no";
locations."/" = { "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
proxyPass = "http://challenger.home.feal.no"; "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
extraConfig = ''
client_max_body_size 8G;
'';
};
};
"feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
}; };
} }

11
hosts/defiant/services/postgresql.nix
View File

@@ -2,24 +2,17 @@
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = true; enableTCPIP = false;
authentication = ''
host all all 172.16.0.0/12 md5
'';
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;
location = "/tank/backup/postgresql"; location = "/data/backup/postgresql/";
startAt = "*-*-* 03:15:00"; startAt = "*-*-* 03:15:00";
# Each service is registered in its own configuration file # Each service is registered in its own configuration file
databases = [ ]; databases = [ ];
}; };
# Docker containers on this host can reach postgres
networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port 5432 -s 172.16.0.0/12 -j ACCEPT";
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }

14
hosts/defiant/services/rtl-tcp.nix
View File

@@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
let
port = 1457;
in {
hardware.rtl-sdr.enable = true;
systemd.services.rtl-tcp = {
script = "${pkgs.rtl-sdr}/bin/rtl_tcp -a 0.0.0.0 -p ${toString port} -s 2000000 -T";
serviceConfig = {
Group = "plugdev";
};
};
networking.firewall.allowedTCPPorts = [ port ];
}

39
hosts/defiant/services/searx.nix
View File

@@ -1,39 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.searx;
domain = "search.home.feal.no";
in {
services.searx = {
enable = true;
environmentFile = config.sops.secrets."searx/envfile".path;
settings = {
server = {
secret_key = "@SEARX_SECRET_KEY@";
base_url = "http://${domain}";
};
};
runInUwsgi = true;
uwsgiConfig = {
socket = "/run/searx/searx.sock";
chmod-socket = "660";
};
redisCreateLocally = true;
};
sops.secrets."searx/envfile" = {
owner = "searx";
group = "searx";
};
users.groups."searx".members = [ "nginx" ];
services.nginx.virtualHosts."${domain}" = {
locations."/".extraConfig = ''
include ${config.services.nginx.package}/conf/uwsgi_params;
uwsgi_pass unix:${cfg.uwsgiConfig.socket};
'';
};
}

28
hosts/defiant/services/wireguard.nix
View File

@@ -30,9 +30,33 @@ in {
"10.100.0.2/32" "10.100.0.2/32"
"192.168.11.0/24" "192.168.11.0/24"
]; ];
#endpoint = "site2.feal.no:51902"; endpoint = "site2.feal.no:51902";
} }
] ++ (import ../../../common/wireguard-peers.nix); { # Sulu
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
];
}; };
}; };
} }

55
hosts/edison/configuration.nix Normal file
View File

@@ -0,0 +1,55 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop
];
virtualisation.docker.enable = true;
systemd.coredump.enable = true;
networking = {
hostName = "edison";
defaultGateway = "192.168.10.1";
interfaces.enp4s0.useDHCP = false;
interfaces.enp4s0.ipv4.addresses = [
{ address = "192.168.10.170"; prefixLength = 24; }
];
hostId = "8e84b281";
};
console.keyMap = "us";
# sops.defaultSopsFile = ../../secrets/edison/edison.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
discord
gimp
gparted
openvpn
pavucontrol
unstable.element-desktop
unstable.hydrus
];
programs.steam.enable = true;
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"discord"
"nvidia-x11"
"nvidia-settings"
"steam"
"steam-original"
"steam-run"
];
system.stateVersion = "23.05";
}

91
hosts/edison/desktop/default.nix Normal file
View File

@@ -0,0 +1,91 @@
{ config, pkgs, lib, ... }:
{
imports = [
./remote.nix
./gnome.nix
./xfce.nix
];
services.xserver = {
enable = true;
displayManager.gdm = {
enable = true;
wayland = true;
};
videoDrivers = [ "nvidia" ];
xkbOptions = "ctrl:nocaps";
layout = "no,us";
xkbVariant = "intl";
};
#hardware.nvidia.modesetting.enable = true; # TODO: Fix this. Steam crashes, and textures/fonts unload when suspended.
hardware.keyboard.zsa.enable = true;
environment.sessionVariables.NIXOS_OZONE_WL = "1";
environment.systemPackages = with pkgs; [
xclip
];
hardware.opengl.enable = true;
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
hardware.pulseaudio.enable = false;
# Fonts
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
(nerdfonts.override {
fonts = [
"Hack"
];
})
];
};
# Dark mode
home-manager.users.felixalb = {
dconf.settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
};
gtk = {
enable = true;
theme = {
name = "Adwaita-dark";
package = pkgs.gnome.gnome-themes-extra;
};
};
};
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita-dark";
};
# Misc:
xdg.portal = {
enable = true;
wlr.enable = true;
};
location.provider = "geoclue2";
security.polkit.enable = true;
services.flatpak.enable = true;
services.redshift.enable = true;
users.users."felixalb".packages = [ pkgs.flatpak ];
}

10
hosts/edison/desktop/gnome.nix Normal file
View File

@@ -0,0 +1,10 @@
{ config, pkgs, lib, ... }:
{
services.xserver.desktopManager.gnome.enable = true;
environment.systemPackages = with pkgs; [
gnomeExtensions.appindicator
gnome.adwaita-icon-theme
];
services.udev.packages = with pkgs; [ gnome.gnome-settings-daemon ];
programs.dconf.enable = true;
}

12
hosts/edison/desktop/remote.nix Normal file
View File

@@ -0,0 +1,12 @@
{ config, pkgs, lib, ... }:
{
# Microsoft-style Remote Desktop:
services.xrdp = {
enable = true;
defaultWindowManager = "xfce4-session"; # Avoid fancy animations, no hyprland/GNOME!
openFirewall = true;
};
# X window forwarding with `ssh -Y`
services.openssh.settings.X11Forwarding = true;
}

10
hosts/edison/desktop/xfce.nix Normal file
View File

@@ -0,0 +1,10 @@
{ config, pkgs, lib, ... }:
{
services.xserver = {
desktopManager.xfce.enable = true;
};
environment.systemPackages = with pkgs; [
xfce.xfce4-pulseaudio-plugin
];
}

52
hosts/edison/email.nix Normal file
View File

@@ -0,0 +1,52 @@
{ config, pkgs, lib, ... }:
{
programs.neomutt = {
enable = true;
sidebar = {
enable = true;
width = 30;
};
sort = "reverse-threads";
vimKeys = true;
checkStatsInterval = 60;
};
programs.mbsync.enable = true;
programs.notmuch = {
enable = true;
hooks = {
preNew = "mbsync --all";
};
};
# programs.msmtp.enable = true;
accounts.email = {
accounts.felix-albrigtsen-it = rec {
address = "felix@albrigtsen.it";
userName = address;
primary = true;
realName = "Felix Albrigtsen";
signature = {
text = ''
Med vennlig hilsen
${realName}
'';
showSignature = "append";
};
imap.host = "imap.migadu.com";
smtp.host = "smtp.migadu.com";
passwordCommand = "cat ~/.secrets/email/migadu"; # yolo / TODO
mbsync = {
enable = true;
create = "maildir"; # Create subfolders locally
# expugne = "both";
};
msmtp.enable = true;
notmuch.enable = true;
neomutt.enable = true;
};
};
}

46
hosts/edison/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/14b254e1-d94f-4b9b-a910-7fcf7e33af46";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A197-7913";
fsType = "vfat";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/ebbdf34e-adec-4df3-bbed-20d80455f3f7";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d56040a0-3009-4899-95fa-1b82e60e32e4"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

30
hosts/edison/home.nix Normal file
View File

@@ -0,0 +1,30 @@
{ pkgs, lib, ... }:
{
home.packages = with pkgs; [
nix-index
unstable.snicat
python3
] ++ (with python3Packages; [
beautifulsoup4
numpy
pillow
pwntools
pycryptodome
requests
]);
imports = [
./../../home/base.nix
./email.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
alacritty.enable = true;
firefox.enable = true;
rofi.enable = true;
};
home.stateVersion = "23.05";
}

59
hosts/fa-t14-2025/configuration.nix
View File

@@ -1,59 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
networkmanager.enable = true;
wireguard.enable = true;
tempAddresses = "disabled";
hostName = "fa-t14-2025";
nameservers = [ "9.9.9.9" ];
domain = "it.hime.no";
hostId = "f458d6aa";
search = [
"mktv.no"
"mktv.local"
];
};
services.openssh.openFirewall = false;
environment.systemPackages = with pkgs; [
inetutils
wireguard-tools
];
virtualisation.docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
users.users.felixalb = {
uid = 1000;
openssh.authorizedKeys.keys = [ ];
extraGroups = [ "networkmanager" ];
};
console.keyMap = "no";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"securecrt"
"securefx"
];
};
system.stateVersion = "25.05";
}

51
hosts/fa-t14-2025/desktop.nix
View File

@@ -1,51 +0,0 @@
{ config, pkgs, lib, ... }:
{
hardware.graphics.enable = true;
services.xserver = {
enable = true;
xkb = {
options = "ctrl:nocaps";
layout = "no";
};
};
services.displayManager.ly.enable = true;
services.gnome.gnome-keyring.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Fonts
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-color-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
nerd-fonts.hack
];
};
# Misc:
xdg.portal = {
enable = true;
wlr.enable = true;
};
location.provider = "geoclue2";
security.polkit.enable = true;
services.dbus.packages = [ pkgs.gcr ];
services.openssh.settings.X11Forwarding = true;
programs.nm-applet.enable = true;
}

51
hosts/fa-t14-2025/hardware-configuration.nix
View File

@@ -1,51 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "resume_offset=3037184" "mem_sleep_default=deep" ];
boot.resumeDevice = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
powerManagement.enable = true;
services.power-profiles-daemon.enable = true;
services.logind.lidSwitch = "suspend-then-hibernate";
services.logind.lidSwitchDocked = "ignore";
services.logind.powerKey = "suspend-then-hibernate";
services.logind.powerKeyLongPress = "poweroff";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/3ecaedab-415c-4cce-a3a9-9f3782acb682";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0800-59D9";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 32*1024;
}
];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

99
hosts/fa-t14-2025/home.nix
View File

@@ -1,99 +0,0 @@
{ pkgs, lib, ... }:
let
emailAddress = "felix.albrigtsen@mktv.no";
in {
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
bc
catimg
chromium
dig
element-desktop
hunspellDicts.en_US
hunspellDicts.nb_NO
iperf3
jq
libreoffice
mpv
oauth2ms
openssl
openvpn
pavucontrol
pwgen
traceroute
virt-manager
w3m
nixpkgs-2211.remmina
(unstable.microsoft-edge.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/microsoft-edge $out/bin/microsoft-edge-stable
'';
}))
# Window Manager Extras
bibata-cursors
brightnessctl
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
(python312.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
firefox.enable = true;
git.extraConfig.user.email = emailAddress;
rbw = {
enable = true;
settings = {
base_url = "https://vault.mktv.no";
email = emailAddress;
pinentry = pkgs.pinentry-rofi;
};
};
rofi = {
enable = true;
# theme = "iggy";
theme = "Arc-Dark";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
};
};
home.stateVersion = "25.05";
}

53
hosts/leonard/configuration.nix
View File

@@ -1,53 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/mysql.nix
./services/nginx.nix
./services/postgresql.nix
./services/wiki-wackattack-eu.nix
./services/www-feal-no
./services/www-kinealbrigtsen-no.nix
./services/www-amalie-mansaker-no
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "leonard";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.207"; prefixLength = 24; }
];
};
hostId = "b99c12d1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "25.05";
}

24
hosts/leonard/hardware-configuration.nix
View File

@@ -1,24 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4a70c1d5-9d72-4581-8f75-733b91c10669";
fsType = "ext4";
};
swapDevices = [ ]; # TODO
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

10
hosts/leonard/services/mysql.nix
View File

@@ -1,10 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
# TODO: services.mysqlBackup
}

20
hosts/leonard/services/postgresql.nix
View File

@@ -1,20 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = false;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}

38
hosts/leonard/services/wiki-wackattack-eu.nix
View File

@@ -1,38 +0,0 @@
{ config, ... }:
let
bindIP = "127.0.1.2";
port = 5051;
cfg = config.services.wiki-js;
in {
# sops.secrets."wikijs/envfile" = {
# restartUnits = [ "wiki-js.service" ];
# };
services.wiki-js = {
enable = true;
# environmentFile = config.sops.secrets."wikijs/envfile".path;
settings = {
inherit bindIP port;
db = {
type = "postgres";
host = "/run/postgresql";
db = "wiki-js";
user = "wiki-js";
};
};
};
services.postgresql = {
ensureDatabases = [ "wiki-js" ];
ensureUsers = [{
name = "wiki-js";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."wiki.wackattack.eu" = {
locations."/" = {
proxyPass = "http://${bindIP}:${toString port}";
};
};
}

11
hosts/leonard/services/www-amalie-mansaker-no/default.nix
View File

@@ -1,11 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."amalie.mansaker.no" = let
siteContent = pkgs.callPackage ./site.nix { };
in {
locations = {
"/".root = siteContent;
};
};
}

26
hosts/leonard/services/www-amalie-mansaker-no/site.nix
View File

@@ -1,26 +0,0 @@
{ stdenv, fetchgit, hugo }:
stdenv.mkDerivation {
name = "www-amalie-mansaker-no";
src = fetchgit {
url = "https://git.feal.no/amalieem/amalie.mansaker.no.git";
fetchSubmodules = true;
rev = "15142c93da33414a0be49384a03b704ad95e31be";
hash = "sha256-oq5NC11UDYjYKToPsEXovCiIBD5adamVwi3scOFzpHM=";
};
nativeBuildInputs = [ hugo ];
buildPhase = ''
cp -r $src/* .
${hugo}/bin/hugo
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r public/* $out/
runHook postInstall
'';
}

26
hosts/leonard/services/www-feal-no/default.nix
View File

@@ -1,26 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."feal.no" = {
default = true;
serverAliases = [
"www.feal.no"
];
locations = {
# TODO: Reinstate actual website
"/".return = "302 https://git.feal.no/";
"^~ /.well-known/" = {
alias = (toString ./well-known) + "/";
};
"/cc/" = {
alias = "${pkgs.cyberchef}/share/cyberchef/";
index = "index.html";
};
"= /cc".return = "302 /cc/";
};
};
}

5
hosts/leonard/services/www-feal-no/well-known/matrix/client
View File

@@ -1,5 +0,0 @@
{
"m.homeserver": {
"base_url": "https://matrix.feal.no:443"
}
}

1
hosts/leonard/services/www-feal-no/well-known/matrix/server
View File

@@ -1 +0,0 @@
{"m.server": "matrix.feal.no:443"}

95
hosts/leonard/services/www-kinealbrigtsen-no.nix
View File

@@ -1,95 +0,0 @@
{ config, pkgs, lib, ... }:
{
users.users.www-kinealbrigtsen-no = {
isSystemUser = true;
group = "www-kinealbrigtsen-no";
};
users.groups.www-kinealbrigtsen-no = { };
services.mysql.ensureDatabases = [
"www_kinealbrigtsen_no"
];
services.mysql.ensureUsers = [
{
name = "www-kinealbrigtsen-no";
ensurePermissions = {
# "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
"www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
};
}
];
services.phpfpm.pools.www-kinealbrigtsen-no = {
user = "www-kinealbrigtsen-no";
group = "www-kinealbrigtsen-no";
phpOptions = lib.generators.toKeyValue {} {
upload_max_filesize = "1000M";
post_max_size = "1000M";
memory_limit = "1000M";
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 1000;
};
};
services.nginx.virtualHosts."kinealbrigtsen.no" = {
serverAliases = [ "www.kinealbrigtsen.no" ];
root = "/var/www/www-kinealbrigtsen-no";
locations = {
"/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
"~ \\.php$".extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
'';
"~ /\\.ht".extraConfig = ''
deny all;
'';
"/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
"/robots.txt".extraConfig = ''
allow all;
log_not_found off;
access_log off;
'';
"~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
expires max;
log_not_found off;
'';
};
extraConfig = ''
index index.php index.html;
set_real_ip_from 192.168.11.0/24;
real_ip_header X-Forwarded-For;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
'';
};
# TODO:
# - Configure a mailer so wp_mail() works
# - Enable periodic backups
}

35
hosts/morn/configuration.nix
View File

@@ -1,35 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/nginx.nix
./services/glance
./services/miniflux.nix
./services/thelounge.nix
];
networking = {
hostName = "morn";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.203"; prefixLength = 24; }
];
};
hostId = "89b7722d";
};
sops.defaultSopsFile = ../../secrets/morn/morn.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "24.11";
}

12
hosts/morn/home.nix
View File

@@ -1,12 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "24.11";
}

15
hosts/morn/services/glance/default.nix
View File

@@ -1,15 +0,0 @@
{ config, values, ... }:
{
services.glance = {
enable = true;
settings = import ./settings.nix;
};
services.nginx.virtualHosts."glance.home.feal.no" = let
inherit (config.services.glance.settings.server) host port;
in {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
}

83
hosts/morn/services/glance/settings.nix
View File

@@ -1,83 +0,0 @@
{ config, ... }:
{
server = {
port = 5001;
host = "127.0.1.2";
};
pages =
let
fullCol = widgets: {
size = "full";
inherit widgets;
};
in
[
{
name = "Home";
columns = [
(fullCol [
{
type = "search";
search-engine = "http://search.home.feal.no/search?q={QUERY}";
}
{
type = "weather";
units = "metric";
location = "Trondheim, Norway";
}
])
(fullCol [
{
type = "hacker-news";
limit = 20;
collapse-after = 5;
}
{
type = "monitor";
cache = "5m";
sites =
let
site = title: url: { inherit title url; };
in
[
(site "Jellyfin" "http://jellyfin.home.feal.no")
(site "Gitea" "https://git.feal.no")
(site "VaultWarden" "https://pw.feal.no")
];
}
])
];
}
{
name = "News";
columns =
let
feed = title: url: { inherit title url; };
rss = title: feeds: {
type = "rss";
inherit title feeds;
};
in
[
(fullCol [
(rss "Norway" [
(feed "NRK" "https://www.nrk.no/toppsaker.rss")
(feed "Bygdeposten" "https://www.bygdeposten.no/service/rss")
(feed "Nidaros" "https://www.nidaros.no/service/rss")
])
])
(fullCol [
(rss "NTNU" [
(feed "OmegaV" "https://omegav.no/newsrss")
(feed "PVV" "https://www.pvv.ntnu.no/w/api.php?hidebots=1&urlversion=1&days=7&limit=50&action=feedrecentchanges&feedformat=atom")
(feed "IT-Varsel" "https://varsel.it.ntnu.no/subscribe/rss/")
])
])
];
}
];
}

23
hosts/morn/services/miniflux.nix
View File

@@ -1,23 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "rss.home.feal.no";
listen_addr = "127.0.1.2:5051";
in {
sops.secrets."miniflux/env" = { };
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = {
CREATE_ADMIN = true;
LISTEN_ADDR = listen_addr;
BASE_URL = "http://${domain}";
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${listen_addr}";
};
}

19
hosts/morn/services/nginx.nix
View File

@@ -1,19 +0,0 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}

73
hosts/redshirt/configuration.nix Normal file
View File

@@ -0,0 +1,73 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
];
networking.hostName = "redshirt";
networking.networkmanager.enable = true;
# Enable the X11 windowing system.
services.xserver = {
enable = true;
windowManager = {
qtile.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
libinput.enable = true;
};
# The NixOS module enables critical components needed to run Hyprland properly, such as: polkit, xdg-desktop-portal-hyprland, graphics drivers, fonts, dconf, xwayland, and adding a proper Desktop Entry to your Display Manager.
#programs.hyprland = {
# enable = true;
# package = pkgs.unstable.hyprland;
#};
services.xserver.displayManager = {
lightdm.enable = true;
#defaultSession = "hyprland";
};
# Configure keymap in X11
services.xserver.layout = "no";
fonts.fonts = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" "Hack" ]; })
];
sound.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
users.users.felixalb = {
extraGroups = [ "networkmanager" ];
};
environment.systemPackages = with pkgs; [
zsh
neovim
git
ripgrep
rsync
cifs-utils
];
documentation.man.generateCaches = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
system.stateVersion = "22.11";
}

41
hosts/redshirt/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,41 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0d709ab3-0d10-46eb-9e4f-10a320af703e";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6EE9-1C06";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/2067bbb4-b4fa-4326-9f58-4018857058a7"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

90
hosts/sisko/configuration.nix
View File

@@ -1,90 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
hostName = "sisko";
# networkmanager.enable = true;
defaultGateway = "192.168.10.1";
interfaces.enp14s0 = {
ipv4 = {
addresses = [
{ address = "192.168.10.172"; prefixLength = 24; }
];
};
wakeOnLan.enable = true;
};
hostId = "b716d781";
};
hardware.bluetooth.enable = true;
hardware.rtl-sdr.enable = true;
sops.defaultSopsFile = ../../secrets/sisko/sisko.yaml;
environment.variables = { EDITOR = "vim"; };
users.users.felixalb.extraGroups = [
"dialout"
"libvirtd"
"networkmanager"
"plugdev"
];
programs = {
alvr = {
enable = true;
openFirewall = true;
};
firefox = {
enable = true;
nativeMessagingHosts.packages = with pkgs; [ tridactyl-native ];
};
gamemode.enable = true;
immersed.enable = true;
steam = {
enable = true;
remotePlay.openFirewall = true;
};
virt-manager.enable = true;
};
virtualisation = {
libvirtd.enable = true;
spiceUSBRedirection.enable = true;
};
environment.systemPackages = with pkgs; [
virtiofsd
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"discord"
"immersed"
"spotify"
"steam"
"steam-unwrapped"
];
permittedInsecurePackages = [
"openssl-1.1.1w"
];
rocmSupport = true;
};
services.fwupd.enable = true;
system.stateVersion = "24.11";
}

70
hosts/sisko/desktop.nix
View File

@@ -1,70 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Video
hardware.graphics = {
enable = true;
enable32Bit = true;
};
hardware.amdgpu.opencl.enable = true;
services.displayManager.ly.enable = true;
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Misc
fonts = {
fontDir.enable = true;
packages = with pkgs; [
fira-code
font-awesome
hack-font
nerd-fonts.hack
noto-fonts
noto-fonts-cjk-sans
noto-fonts-color-emoji
];
};
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
SSH_AUTH_SOCK = "/run/user/${toString config.users.users.felixalb.uid}/keyring/ssh";
};
services.gnome.gnome-keyring.enable = true;
# Dark mode
home-manager.users.felixalb = {
dconf.settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
};
gtk = {
enable = true;
theme = {
name = "Adwaita-dark";
package = pkgs.gnome-themes-extra;
};
};
};
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita-dark";
};
}

55
hosts/sisko/hardware-configuration.nix
View File

@@ -1,55 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = "options bluetooth disable_ertm=1"; # Xbox controller
hardware.xpadneo.enable = true;
boot.kernel.sysctl = {
"vm.max_map_count" = 16777216;
# "fs.file-max" = 524288;
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ {
device = "/swapfile";
size = 64*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp14s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

162
hosts/sisko/home.nix
View File

@@ -1,162 +0,0 @@
{ pkgs, lib, config, ... }:
{
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
# GUI Applications
cantata
chromium
discord
easyeffects
element-desktop
emacs-gtk
feishin
gqrx
kitty
libreoffice
lutris
mpv
mumble
orca-slicer
papers
pavucontrol
picard
pkgsRocm.hashcat
prismlauncher
restic
runelite
spotify
swayimg
thunderbird
tor-browser
bolt-launcher
exiftool
ghidra
# pwndbg-gdb-alias # Broken in 25.05
snicat
# Window Manager Extras
bibata-cursors
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
# Misc tools
abcde
bc
catimg
dante
dig
go
hunspellDicts.en_US
hunspellDicts.nb_NO
jq
nixpkgs-2211.remmina
ollama-rocm
openssl
playerctl
pwgen
restic
rocmPackages.clang
traceroute
w3m
(python313.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
ncmpcpp.enable = true;
rbw = {
enable = true;
settings = {
base_url = "https://pw.feal.no";
email = "felix@albrigtsen.it";
pinentry = pkgs.pinentry-gnome3;
};
};
rofi = {
enable = true;
theme = "iggy";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
services = {
mpd = let
home = config.home.homeDirectory;
in {
enable = true;
musicDirectory = "${home}/mnt/music";
dataDir = "${home}/Music/mpd/data";
playlistDirectory = "${home}/Music/mpd/playlists";
extraConfig = ''
audio_output {
type "pipewire"
name "PipewireOut1"
}
'';
};
};
home.pointerCursor = {
name = "Bibata-Modern-Ice";
package = pkgs.bibata-cursors;
size = 24;
gtk.enable = true;
x11 = {
enable = true;
defaultCursor = true;
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
"inode/directory" = "org.gnome.Nautilus.desktop";
"application/pdf" = "org.gnome.Papers.desktop";
} // builtins.listToAttrs (
builtins.map
( imgType: { name = "image/${imgType}"; value = "swayimg.desktop"; } )
[ "apng" "bmp" "gif" "heic" "heif" "jpeg" "png" "svg" "svg+xml" "tiff" ]
);
};
home.stateVersion = "24.11";
}

47
hosts/voyager/backup.nix Normal file
View File

@@ -0,0 +1,47 @@
{ config, pkgs, lib, ... }:
{
services.borgbackup.jobs =
let
borgJob = name: {
environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/${name}";
compression = "auto,zstd";
};
in {
postgresDaily = borgJob "postgres::daily" // {
paths = "/var/backup/postgres";
startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
postgresWeekly = borgJob "postgres::weekly" // {
paths = "/var/backup/postgres";
startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
transmission = borgJob "transmission::weekly" // {
paths = "/var/lib/transmission";
startAt = "weekly";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/transmission".path}";
};
};
# TODO: kanidm, timemachine, calibre(?), nextcloud
};
sops.secrets."borg/postgres" = { };
sops.secrets."borg/transmission" = { };
}

58
hosts/voyager/configuration.nix Normal file
View File

@@ -0,0 +1,58 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./backup.nix
./exports.nix
./filesystems.nix
./services/calibre.nix
./services/fancontrol.nix
./services/jellyfin.nix
./services/kanidm.nix
./services/komga.nix
./services/nextcloud.nix
./services/nginx
./services/podgrab.nix
./services/postgres.nix
./services/snappymail.nix
./services/timemachine.nix
];
networking = {
hostName = "voyager";
bridges.br0.interfaces = [ "eno1" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.165"; prefixLength = 24; }
];
hostId = "8e84b235";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
users.users."amalieem" = {
isNormalUser = true;
home = "/home/amalieem";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
];
};
system.stateVersion = "22.11";
}

27
hosts/voyager/exports.nix Normal file
View File

@@ -0,0 +1,27 @@
{ config, pkgs, lib, ... }:
{
fileSystems = {
"/export/riker-backup" = {
device = "/tank/backup/riker";
options = [ "bind" ];
};
"/export/defiant-backup" = {
device = "/tank/backup/defiant";
options = [ "bind" ];
};
};
# Enable nfs4 only
services.nfs.server = {
enable = true;
exports = ''
/export 192.168.10.4(rw,fsid=0,no_subtree_check) 192.168.10.5(rw,fsid=0,no_subtree_check) 192.168.10.2(rw,fsid=0,no_subtree_check) 192.168.10.175(rw,fsid=0,no_subtree_check)
/export/riker-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
/export/doyle-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
/export/defiant-backup 192.168.10.175(rw,nohide,no_subtree_check,async,no_root_squash)
'';
};
networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
networking.firewall.allowedUDPPorts = [ 111 20048];
}

42
hosts/voyager/filesystems.nix Normal file
View File

@@ -0,0 +1,42 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# Network mounts (import)
fileSystems = {
"/mnt/feal-syn1/media" = {
device = "feal-syn1.home.feal.no:/volume2/media";
fsType = "nfs";
options = [ "vers=3" ];
#options = [ "x-systemd.automount" "noauto" ];
};
"/mnt/feal-syn1/nfs_proxmox" = {
device = "//feal-syn1.home.feal.no/nfs_proxmox";
fsType = "cifs";
options = let
# this line prevents hanging on network split
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in ["${automount_opts},credentials=/etc/feal-syn1-credentials"];
};
"/var/backup" = {
device = "/tank/backup/voyager";
options = [ "bind "];
};
};
}

21
hosts/challenger/hardware-configuration.nix → hosts/voyager/hardware-configuration.nix
View File

@@ -1,30 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports =
[ (modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/7101364b-9056-4309-afeb-3c17b220684f"; { device = "/dev/disk/by-uuid/a6465c1c-4c93-423d-84a9-e4ecb9520741";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/FDCE-A287"; { device = "/dev/disk/by-uuid/D0C1-97CE";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
}; };
swapDevices = [ { swapDevices = [ ];
device = "/swapfile";
size = 16*1024;
} ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -35,5 +34,5 @@
# networking.interfaces.idrac.useDHCP = lib.mkDefault true; # networking.interfaces.idrac.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

2
hosts/leonard/home.nix → hosts/voyager/home.nix
View File

@@ -8,5 +8,5 @@
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
}; };
home.stateVersion = "25.05"; home.stateVersion = "23.05";
} }

108
hosts/voyager/modules/snappymail.nix Normal file
View File

@@ -0,0 +1,108 @@
{ config, pkgs, lib, ... }:
let
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types;
cfg = config.services.snappymail;
maxUploadSize = "256M";
in {
options.services.snappymail = {
enable = mkEnableOption (lib.mdDoc "Snappymail");
package = mkOption {
type = types.package;
default = pkgs.snappymail;
defaultText = lib.mdDoc "pkgs.snappymail";
description = lib.mdDoc "Which snappymail package to use.";
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/snappymail";
description = "State directory for snappymail";
};
hostname = mkOption {
type = types.str;
/* default = null; */
example = "mail.example.com";
description = "Enable nginx with this hostname, null disables nginx";
};
user = mkOption {
type = types.str;
default = "snappymail";
description = lib.mdDoc "System user under which snappymail runs";
};
group = mkOption {
type = types.str;
default = "snappymail";
description = lib.mdDoc "System group under which snappymail runs";
};
};
config = mkIf cfg.enable {
users.users = mkIf (cfg.user == "snappymail") {
snappymail = {
description = "Snappymail service";
group = cfg.group;
home = cfg.dataDir;
useDefaultShell = true;
createHome = true;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "snappymail") {
snappymail = {};
};
services.phpfpm.pools.snappymail = {
user = cfg.user;
group = cfg.group;
phpOptions = generators.toKeyValue {} {
upload_max_filesize = maxUploadSize;
post_max_size = maxUploadSize;
memory_limit = maxUploadSize;
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
services.nginx = mkIf (cfg.hostname != null) {
virtualHosts."${cfg.hostname}" = {
locations."/".extraConfig = ''
index index.php;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
'';
locations."^~ /data".extraConfig = ''
deny all;
'';
locations."~ \.php$".extraConfig = ''
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.snappymail.socket};
'';
extraConfig = ''
client_max_body_size ${maxUploadSize};
'';
root = if (cfg.package == pkgs.snappymail) then
pkgs.snappymail.override {
dataPath = cfg.dataDir;
}
else cfg.package;
};
};
};
}

0
hosts/challenger/services/calibre.nix → hosts/voyager/services/calibre.nix
View File

63
hosts/voyager/services/fancontrol.nix Normal file
View File

@@ -0,0 +1,63 @@
{ config, lib, pkgs, ... }:
{
systemd.timers."fancontrol" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar="*:0/3";
Unit = "fancontrol.service";
};
};
systemd.services."fancontrol" = {
environment = {
TEMP_MIN_FALLING = "50";
TEMP_MAX_RISING = "56";
TEMP_CRIT = "70";
LOW_FAN_SPEED = "0x10";
};
script = ''
SET_FAN_MANUAL="0x30 0x30 0x01 0x00" # Enable manual control
SET_FAN_AUTO="0x30 0x30 0x01 0x01" # Disable manual control
SET_FAN_LOW="0x30 0x30 0x02 0xff $LOW_FAN_SPEED"
SET_FAN_MAX="0x30 0x30 0x02 0xff 0x64" # force 100%
# Get all temperatures readings starting with "Temp ", find all two digit numbers followed by spaces, find the largest one, trim the trailing space
maxcoretemp=$(${pkgs.ipmitool}/bin/ipmitool sdr type temperature | grep '^Temp ' | grep -Po '\d{2} ' | sort -nr | head -n1 | xargs)
# Verify that we read a valid number
ISNUMBER='^[0-9]+$'
if ! [[ $maxcoretemp =~ $ISNUMBER ]] ; then
echo "Error: could not read temperature" >&2
exit 2
fi
echo "Highest measured CPU temperature: '$maxcoretemp'"
if [ "$maxcoretemp" -gt "$TEMP_CRIT" ]; then
echo "TOO HOT, CRITICAL CPU TEMP"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MANUAL
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MAX
exit 1
fi
if [ "$maxcoretemp" -gt "$TEMP_MAX_RISING" ]; then
echo "TOO HOT, switching to IDRAC fan controL"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_AUTO
exit 0
fi
if [ "$maxcoretemp" -lt "$TEMP_MIN_FALLING" ]; then
echo "Sufficiently cooled, stepping down fans"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MANUAL
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_LOW
exit 0
fi
echo "Temperature is between limits, doing nothing..."
'';
};
}

14
hosts/challenger/services/jellyfin.nix → hosts/voyager/services/jellyfin.nix
View File

@@ -6,6 +6,10 @@
users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ]; users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
systemd.services.jellyfin.serviceConfig = {
DeviceAllow = lib.mkForce [ "/dev/dri/card0" ];
};
services.nginx.virtualHosts."jellyfin.home.feal.no" = { services.nginx.virtualHosts."jellyfin.home.feal.no" = {
serverAliases = [ "jf.feal.no" ]; serverAliases = [ "jf.feal.no" ];
locations = { locations = {
@@ -32,4 +36,14 @@
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
''; '';
}; };
fileSystems."/tank/media/jellyfin/Music" = {
depends = [
"/tank/media/music"
"/tank/media/jellyfin"
];
options = [ "bind" ];
device = "/tank/media/music";
};
} }

47
hosts/voyager/services/kanidm.nix Normal file
View File

@@ -0,0 +1,47 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.kanidm;
certPath = "/etc/ssl-snakeoil/auth_feal_no";
ldapbindaddress = "0.0.0.0:636";
in {
# Kanidm - Identity management / auth provider
services.kanidm = {
enableServer = true;
serverSettings = {
origin = "https://${cfg.serverSettings.domain}";
domain = "auth.feal.no";
bindaddress = "127.0.1.2:8300";
inherit ldapbindaddress;
tls_chain = "/run/credentials/kanidm.service/cert.crt";
tls_key = "/run/credentials/kanidm.service/cert.key";
};
};
systemd.services.kanidm = {
serviceConfig.LoadCredential = [
"cert.crt:${certPath}.crt"
"cert.key:${certPath}.key"
];
};
services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
forceSSL = true;
sslCertificate = "${certPath}.crt";
sslCertificateKey = "${certPath}.key";
locations."/" = {
proxyPass = "https://${cfg.serverSettings.bindaddress}";
extraConfig = ''
proxy_ssl_verify off;
'';
};
};
environment = {
systemPackages = [ pkgs.kanidm ];
etc."kanidm/config".text = ''
uri="${cfg.serverSettings.origin}"
'';
};
}

18
hosts/challenger/services/komga.nix → hosts/voyager/services/komga.nix
View File

@@ -1,21 +1,19 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
domain = "komga.home.feal.no"; domain = "komga.home.feal.no";
port = 5001; cfg = config.services.komga;
in { in {
services.komga = {
enable = true;
stateDir = "/tank/media/komga";
settings.server = {
inherit port;
};
};
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://127.0.0.1:${toString port}"; locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
extraConfig = '' extraConfig = ''
client_max_body_size 512M; client_max_body_size 512M;
''; '';
}; };
services.komga = {
enable = true;
stateDir = "/tank/media/komga";
port = 8034;
};
} }

94
hosts/voyager/services/nextcloud.nix Normal file
View File

@@ -0,0 +1,94 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.nextcloud;
hostName = "cloud.feal.no";
in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
inherit hostName;
home = "/var/lib/nextcloud";
https = true;
webfinger = true;
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "ncadmin";
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
};
settings = {
trusted_proxies = [ "192.168.10.175" ]; # defiant
default_phone_region = "NO";
};
phpOptions = {
"opcache.interned_strings_buffer" = "16";
"upload_max_filesize" = lib.mkForce "8G";
"post_max_size" = lib.mkForce "8G";
"memory_limit" = lib.mkForce "8G";
};
poolSettings = {
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
environment.systemPackages = [ cfg.occ ];
sops.secrets."nextcloud/adminpass" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
services.postgresql = {
ensureDatabases = [ "nextcloud" ];
ensureUsers = [ {
name = "nextcloud";
ensureDBOwnership = true;
} ];
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
systemd.services."phpfpm-nextcloud" = {
requires = [ "var-lib-nextcloud.mount" ];
serviceConfig = {
WorkingDirectory = "/var/lib/nextcloud";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
};
};
fileSystems."/var/lib/nextcloud" = {
device = "/tank/nextcloud";
options = [ "bind "];
};
}

Some files were not shown because too many files have changed in this diff Show More